Solved: Extract values from all matches in regex

pbarford · ‎10-09-2013

I have a line in my log like this

013-09-30 23:55:32,954 [pool-13-thread-18655] INFO c.p.d.r.c.release.MessageReleaser Expiry triggered for [1904614]: L[769] R[770] R[771] R[772] R[773] L[774] R[775] L[776] R[777]

If I run this

sourcetype="log4j" | search "Expiry" | rex "(?L[[0-9]{1,45}])"

it only gives me the first value "L[769]", I want to extract values for all matches. Have search through the forum and haven't found anything to help, any ideas?

gfuente · ‎10-09-2013

Hello

try this:

sourcetype="log4j" | search "Expiry" | rex max_match=10 "(?<seqno>L[[0-9]{1,45}])"

Regards

View solution in original post

gfuente · ‎10-09-2013

Hello

try this:

sourcetype="log4j" | search "Expiry" | rex max_match=10 "(?<seqno>L[[0-9]{1,45}])"

Regards

alacercogitatus · ‎10-09-2013

But you are missing the R values. Do this regex: (?<seqno>[LR]\[[\d]+\])

pbarford · ‎10-09-2013

wow thanks for the quick answer, worked

Extract values from all matches in regex

Index This | What did the zero say to the eight?

Splunk Observability Cloud's AI Assistant in Action Series: Onboarding New Hires & ...

Now Playing: Splunk Education Summer Learning Premieres

Are you a member of the Splunk Community?

Extract values from all matches in regex

Index This | What did the zero say to the eight?

Splunk Observability Cloud's AI Assistant in Action Series: Onboarding New Hires & ...

Now Playing: Splunk Education Summer Learning Premieres